vtpm: add method to get sha256 PCRs from Quote

Internally the PCRs are still represented as `Vec<Vec<u8>`, due to serialization concerns of large arrays. For the consumer a fixed byte array `Vec<[u8; 32]` is more convenient, so you don't have to perform runtime assertions on the vector size. A test has been added to make sure the transformation is non-destructive. Signed-off-by: Magnus Kulke <[email protected]>
kinvolk · Feb 15, 2024 · 1cfccfc · 1cfccfc
1 parent de7ee48
commit 1cfccfc
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 5 deletions.
diff --git a/az-cvm-vtpm/Cargo.toml b/az-cvm-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-cvm-vtpm"
-version = "0.5.1"
+version = "0.5.2"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"

diff --git a/az-cvm-vtpm/az-snp-vtpm/Cargo.toml b/az-cvm-vtpm/az-snp-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-snp-vtpm"
-version = "0.5.1"
+version = "0.5.2"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -17,7 +17,7 @@ path = "src/main.rs"
 required-features = ["attester", "verifier"]
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.5.1" }
+az-cvm-vtpm = { path = "..", version = "0.5.2" }
 bincode.workspace = true
 clap.workspace = true
 openssl = { workspace = true, optional = true }

diff --git a/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml b/az-cvm-vtpm/az-tdx-vtpm/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "az-tdx-vtpm"
-version = "0.5.1"
+version = "0.5.2"
 edition = "2021"
 repository = "https://github.com/kinvolk/azure-cvm-tooling/"
 license = "MIT"
@@ -16,7 +16,7 @@ name = "tdx-vtpm"
 path = "src/main.rs"
 
 [dependencies]
-az-cvm-vtpm = { path = "..", version = "0.5.1" }
+az-cvm-vtpm = { path = "..", version = "0.5.2" }
 base64-url = "2.0.0"
 bincode.workspace = true
 serde.workspace = true

diff --git a/az-cvm-vtpm/src/vtpm/mod.rs b/az-cvm-vtpm/src/vtpm/mod.rs
@@ -129,7 +129,23 @@ pub struct Quote {
     pcrs: Vec<Vec<u8>>,
 }
 
+fn pad<const T: usize>(input: &[u8]) -> [u8; T] {
+    let mut output = [0; T];
+    let len = input.len();
+    if len > T {
+        output.copy_from_slice(&input[..T]);
+    } else {
+        output[..len].copy_from_slice(input);
+    }
+    output
+}
+
 impl Quote {
+    /// Retrieve sha256 PCR values from a Quote
+    pub fn pcrs_sha256(&self) -> Vec<[u8; 32]> {
+        self.pcrs.iter().map(|x| pad(x)).collect()
+    }
+
     /// Extract nonce from a Quote
     pub fn nonce(&self) -> Result<Vec<u8>, QuoteError> {
         let attest = Attest::unmarshall(&self.message)?;
@@ -202,3 +218,18 @@ pub fn get_quote(data: &[u8]) -> Result<Quote, QuoteError> {
         pcrs,
     })
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_pcr_sha256() {
+        let quote_bytes = include_bytes!("../../test/quote.bin");
+        let quote: Quote = bincode::deserialize(quote_bytes).unwrap();
+        // convert Vec of fixed byte array to Vec of Vec<u8>
+        let pcrs_sha256: Vec<Vec<u8>> = quote.pcrs_sha256().iter().map(|p| p.to_vec()).collect();
+        assert_eq!(pcrs_sha256.len(), 24);
+        assert_eq!(pcrs_sha256, quote.pcrs);
+    }
+}